How to securely store/reference passwords
Terraform is a powerful infrastructure as code (IaC) tool that helps you build, change, and version infrastructure. It does have pros and cons like anything else, but a major benefit is that it is cloud-agnostic, meaning it can be used with multiple cloud providers.
In this lab, we’ll use AWS on windows as our cloud service provider. The components we’ll work on include:
AWS Secrets Manager: A secrets management service that helps you protect access to your applications, services, and IT resources. It will be used to store and retrieve database credentials.
Amazon RDS for PostgreSQL: A relational database service that provides you six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, etc.
EC2 Instance: Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud.
The goal here is to have our application reference a secret password value in secrets manager, instead of storing the password in plain text in our source code.
Storing plain text passwords in source code is a terrible idea, so this is an important concept.
Prerequisites
Before starting this lab, make sure that you have:
Installed Terraform on your local machine.
Installed AWS CLI and configured it with your AWS credentials.
Installed a text editor such as VS Code, Atom, or Sublime Text. I would also recommend installing the Terraform extension in your code editor.
The commands/steps below were done on Windows, if you are using Mac/Linux the terminal syntax will likely be a little different. However, the steps and the references from Terraform are the same.
Step 1: Create a New Directory and Initialize Terraform
Open a terminal in your code editor, and create a directory for our project:
mkdir terraform-aws-secrets && cd terraform-aws-secrets
CD into the directory, and initialize terraform with an init in the terminal:
terraform init
Step 2: Create a Secrets Manager Secret for Database Password
We’ll start by creating a secret in AWS Secrets Manager to store our database password. In your project directory, create a file named secret.tf and add the following code:
resource "aws_secretsmanager_secret""db_password"{
name = "db_password"
}
resource "aws_secretsmanager_secret_version""db_password"{
secret_id = aws_secretsmanager_secret.db_password.id
secret_string = "MySuperSecureDBPassword"
}
The first block creates a new secret, while the second block sets a version of that secret with the actual password as its value.
Step 3: Create an Amazon RDS Instance
Next, create an Amazon RDS instance using the password from the Secrets Manager. Create a new file named rds.tf and add the following code:
resource "aws_db_instance""example"{
allocated_storage = 20
storage_type = "gp2"
engine = "postgres"
engine_version = "13.8"
instance_class = "db.t3.micro"
username = "myusername"
password = aws_secretsmanager_secret_version.db_password.secret_string
parameter_group_name = "default.postgres13"
skip_final_snapshot = true
}
This block of code creates an RDS instance with the specified parameters and uses the password from Secrets Manager for the database password.
Step 4: Create an Amazon EC2 Instance
Create an Amazon EC2 instance that will connect to the database using the stored secret. Create a new file named ec2.tf and add the following code:
resource "aws_instance" "example" {
ami = "ami-04823729c75214919" # Replace with a region-specific Amazon Linux 2 AMI ID
instance_type = "t2.micro"
tags = {
Name = "example-instance"
}
}The code above creates an EC2 instance with the specified parameters. Please replace the AMI ID with the ID of a Linux 2 AMI ID that is specific to the region your AWS CLI is configured in, otherwise it won’t work. AMIs are region specific.
Step 5: Plan and Apply Your Configuration
After you’ve set up your resources, you’ll need to generate and show an execution plan. This is a best practice in Terraform so that you can see a preview of what changes to your infrastructure will be made:
terraform plan
After everything looks good and you get the message above, we can now run an apply to build it out:
terraform apply
Terraform will ask you for confirmation before proceeding. If everything looks good, type yes and press enter.
Note the above message says 1 resource was added, this is because I had some issues with the postgres version I initially tried to use. So, Terraform created the other 3 resources and I had to run another apply after fixing my rds.tf file.
Upon completion, you now have an RDS database, EC2 instance, and a secret with a secret password associated to it. In your source code, you would now just reference that secret instead of using the plaintext password.
Step 6: Destroy Your Infrastructure
After you’re done with the lab, you may want to destroy the resources you’ve created to avoid incurring unnecessary costs. Terraform makes this easy with the destroy command. It looks at your existing Terraform files and determines what resources exist, then deletes them.
To generate a destruction plan run:
terraform plan -destroy
This confirms that all 4 resources we created earlier will be destroyed.
Finally, we run the actual command to destroy the resources, typing yes to confirm when prompted:
terraform destroy
With the steps above, you’ve set up an AWS environment using Terraform, where you’re storing your database password in AWS Secrets Manager, an RDS instance using the password from the secret, and an EC2 instance.
Remember, in a real-world situation, you may want to use more complex passwords and ensure that your AWS and database credentials are stored securely.
Hopefully this was helpful, and best of luck on your continued journey in cloud computing.
Комментарии